Bind/Named 9.9 auth-nxdomain question

Tony Finch dot at dotat.at
Fri Nov 10 16:38:57 UTC 2017


Filipe Cifali <cifali at kinghost.com.br> wrote:
>
> I'm trying to have an Auth Server that says the auth flags ('aa') even on
> NXDOMAIN.

BIND (well, all DNS servers) have to do that. It doesn't need to be
configured. See the first example dig output below.

However the example query in your first message did not seem to match what
you are asking for. You were querying for a domain for which your server
was not authoritative, so it tried to recurse, but failed (some kind of
firewall?). Usually on an auth-only server you should disable recursion,
so your example query would return REFUSED. See the second example dig
output below.


> This is what the auth-nxdomain should do I suppose.

No, auth-nxdomain incorrectly sets the AA bit on non-authoritative
recursive answers, for bug compatibility with BIND 8.


; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec nxdomain.cam.ac.uk @authdns0.csx.cam.ac.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35951
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nxdomain.cam.ac.uk.    IN A

;; AUTHORITY SECTION:
cam.ac.uk.              3600 IN SOA ipreg.csi.cam.ac.uk. hostmaster.cam.ac.uk. (
                                1510329268 ; serial
                                1800       ; refresh (30 minutes)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )

;; Query time: 1 msec
;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
;; WHEN: Fri Nov 10 16:27:05 GMT 2017
;; MSG SIZE  rcvd: 93


; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec notauth @authdns0.csx.cam.ac.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53652
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;notauth.               IN A

;; Query time: 0 msec
;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
;; WHEN: Fri Nov 10 16:34:11 GMT 2017
;; MSG SIZE  rcvd: 25


Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Viking, North Utsire: Northwesterly 6 to gale 8, decreasing 5 for a time. Very
rough, occasionally high in north. Showers. Good.
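
An added example, not part of the original message: the two dig replies above reduced to their 12-byte DNS headers and classified by the qr/aa/ra flags and status the reply discusses. The function names and the third sample header are assumptions constructed for illustration.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: header needs 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # response bit
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (cleared by +norec)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "counts": (qd, an, ns, ar),
    }

def assess(msg: bytes) -> str:
    """Classify a reply to a +norec probe of an authoritative-only server."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not a response"
    if h["ra"]:
        return "ra set: recursion is available to this client"
    if h["rcode"] == "REFUSED" and not h["aa"]:
        return "refused: name is outside the server's zones"
    if h["rcode"] in ("NOERROR", "NXDOMAIN"):
        return ("authoritative " if h["aa"] else "non-authoritative ") + h["rcode"]
    return "unexpected: " + h["rcode"]

def header(ident, flags, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Build a bare header for the samples below (hypothetical helper)."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)

# Constructed from the ids, flags and counts shown in the two dig outputs.
NXDOMAIN_AA = header(35951, 0x8403, ns=1)   # flags: qr aa, status NXDOMAIN
REFUSED = header(53652, 0x8005)             # flags: qr, status REFUSED
# Constructed, not from the message: a reply that advertises recursion.
RA_SET = header(1, 0x8082)                  # flags: qr ra, status SERVFAIL

if __name__ == "__main__":
    for sample in (NXDOMAIN_AA, REFUSED, RA_SET):
        print(parse_header(sample)["id"], assess(sample))
```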

